Virus:Win32/Virut.BM is a polymorphic file infector that targets .EXE and .SCR files. This virus also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and execute arbitrary files on the infected computer. It uses advanced techniques to hide the infection.
Executable File Infection
Win32/Virut.BM disables Windows System File Protection (SFP) by injecting code into WINLOGON.EXE. The injected code patches sfc_os.dll in memory which in turn allows the virus to infect files protected by SFP.
The virus infects .EXE and .SCR files on access, so actions such as copying or viewing files with Explorer, including on network shares to which the user has write access, will result in those files being infected and the virus spreading from machine to machine.
The virus injects its own code into a system process such as explorer.exe or winlogon.exe, and hooks low-level (NTDLL layer) Windows API calls in order to stay in memory. It hooks the following functions in each running process (NTDLL.DLL):
Thus, every time an infected process calls one of these functions, execution control is passed to the virus.
HTML File Infection
The virus writes code to HTML files that adds a hidden IFrame pointing to the domain 'zief.pl'. When the HTML file is opened, the browser connects to this server without the user's knowledge. The HTML page hosted at this location attempts to exploit a number of different vulnerabilities (including those affecting the user's browser and other applications) in order to run a copy of the virus. These modified HTML files are detected as Virus:HTML/Virut.BH.
The virus also modifies the local machine's hosts file, redirecting the domain 'zief.pl' to localhost (127.0.0.1) so that already-infected machines will not run the remotely-hosted copy of the virus.
Virut.BM connects to an Internet Relay Chat (IRC) server, 'irc.zief.pl', over port 80 and joins a particular channel. Should this fail, it instead attempts to connect to 'proxim.ircgalaxy.pl', also over port 80.
It contains functionality to download and execute arbitrary files on the affected system. This may include additional malware. The backdoor can also be used to change the host that it connects to for control.
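The three host- and network-level indicators given above (a hidden IFrame to 'zief.pl' in HTML files, a hosts-file entry pinning 'zief.pl' to 127.0.0.1, and connections to 'irc.zief.pl' or 'proxim.ircgalaxy.pl' on port 80) can be checked with a small triage script. The following is an added example written for this page, not code from Microsoft or from the analysts credited below; the HTML snippet, hosts-file text and connection-log lines it runs against are constructed samples, and the log-line format is an assumption made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the write-up above.
IFRAME_DOMAIN = "zief.pl"
C2_HOSTS = {"irc.zief.pl", "proxim.ircgalaxy.pl"}
C2_PORT = 80


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _in_domain(host):
    host = host.lower()
    return host == IFRAME_DOMAIN or host.endswith("." + IFRAME_DOMAIN)


def _looks_hidden(attrs):
    """True for iframes styled invisible or sized 1x1 or smaller."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = attrs.get("width"), attrs.get("height")
    if w is None or h is None:
        return False
    try:
        return int(w) <= 1 and int(h) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(html_text):
    """Return src values of hidden iframes whose host is zief.pl or a subdomain of it."""
    parser = _IframeCollector()
    parser.feed(html_text)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src if "://" in src else "http://" + src).hostname or ""
        if _in_domain(host) and _looks_hidden(attrs):
            hits.append(src)
    return hits


def find_hosts_redirects(hosts_text):
    """Return (ip, name) pairs in hosts-file text that map zief.pl (or a subdomain) to an address."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        ip, *names = line.split()
        found.extend((ip, n.lower()) for n in names if _in_domain(n))
    return found


# Assumed log format (constructed for this example): "<date> <time> <src> -> <dsthost>:<port>"
LOG_RE = re.compile(r"^\S+ \S+ (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)")


def find_c2_connections(log_lines):
    """Return (src, dst, port) for connections to the named IRC hosts on port 80."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["dst"].lower() in C2_HOSTS and int(m["port"]) == C2_PORT:
            hits.append((m["src"], m["dst"].lower(), int(m["port"])))
    return hits


# Constructed sample inputs.
SAMPLE_HTML = """<html><body><p>hello</p>
<iframe src="http://zief.pl/" width="1" height="1"></iframe>
<iframe src="https://example.org/embed" width="400" height="300"></iframe>
<iframe src="http://www.zief.pl/x" style="display: none"></iframe>
</body></html>"""

SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
127.0.0.1 zief.pl  # entry of the kind the virus adds
10.0.0.1 intranet.example"""

SAMPLE_LOG = [
    "2024-01-01 12:00:00 10.0.0.5 -> irc.zief.pl:80",
    "2024-01-01 12:00:01 10.0.0.5 -> www.example.org:443",
    "2024-01-01 12:00:02 10.0.0.7 -> proxim.ircgalaxy.pl:80",
    "2024-01-01 12:00:03 10.0.0.8 -> irc.zief.pl:6667",
]


def triage(html_text=SAMPLE_HTML, hosts_text=SAMPLE_HOSTS, log_lines=SAMPLE_LOG):
    """Run all three checks and return their findings in one dictionary."""
    return {
        "iframes": find_suspicious_iframes(html_text),
        "hosts": find_hosts_redirects(hosts_text),
        "c2": find_c2_connections(log_lines),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The port filter follows the write-up, which reports both IRC hosts being contacted on port 80; the sample line on port 6667 is therefore not flagged, and widening that check is a policy decision for the analyst, not something the page supports.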
Virut.BM creates the event 'Vx_5' to prevent multiple copies of itself from running simultaneously on the affected system. A minor variant may create another mutex, 'l0r5'.
Analysis by Hamish O'Dea and Chun Feng